[strongSwan] Strong swan IKE issue.

Andrii Petrenko aplsms at gmail.com
Mon Mar 19 19:01:10 CET 2018


Tobias, thank you for the reply.

The remote side does not support PFS.

IKE Phase One Parameters:	
Encryption Algorithm:	AES 256
Hash Algorithm:	SHA
Authentication Method:	Pre-shared key
Key Exchange:	Diffie Hellman Group 5
IKE SA Lifetime:	86400 (Cisco default)
IKE Phase Two Parameters (IPSEC):	
Authentication:	ESP with SHA-HMAC
Encryption Algorithm:	ESP-AES 256
SA Establishment:	ipsec-isakmp (IKE negotiated)
IPSEC Mode	Tunnel (Cisco default)
IPSEC SA Lifetime (time)	3600 seconds
IPSEC SA Lifetime (volume)	4608000 kilobytes
PFS (Perfect Forward Secrecy)	No
Optional encryption if requirements differ from above:	
esp-3des esp-md5-hmac	
esp-aes 256 esp-sha-hmac	
esp-aes 128 esp-sha-hmac	

I have this information from the remote side.

Is it possible to see what the remote side offers?

Thank you,
AP


> On Mar 19, 2018, at 10:52, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Andrii,
> 
>> I see the problem on IKE side, but don’t know how to debug and fix it.
> 
> The log tells you _exactly_ what the problem is:
> 
>> 12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]
>> 12[IKE] received NO_PROPOSAL_CHOSEN error notify
> 
> The peer doesn't like the crypto proposal sent by the client.  So fix
> the `esp` setting in the config (maybe you have to enable PFS by adding
> a DH group, ask the other server admin for the correct algorithms).
> 
> Regards,
> Tobias
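
An ipsec.conf connection that mirrors the parameter sheet in the message above, as an added example that is not part of the original thread. The connection name, addresses and subnets are placeholders, and it assumes the peer's "SHA" means SHA-1 (`sha1`) and that the client uses the ipsec.conf format.

```conf
# Added example: placeholders in CAPITALS must be replaced with real values.
conn cisco-peer
    keyexchange=ikev1
    authby=secret
    type=tunnel
    # Phase 1 from the sheet: AES 256, SHA, Diffie-Hellman Group 5 (modp1536).
    # The trailing "!" restricts the offer to exactly this proposal.
    ike=aes256-sha1-modp1536!
    ikelifetime=86400s
    # Phase 2 from the sheet: ESP-AES 256 with SHA-HMAC, PFS "No".
    # Appending a DH group here (e.g. aes256-sha1-modp1536) would request PFS,
    # which does not match a peer configured without it.
    esp=aes256-sha1!
    lifetime=3600s
    left=%defaultroute
    leftsubnet=LOCAL_SUBNET
    right=PEER_ADDRESS
    rightsubnet=REMOTE_SUBNET
    auto=start
```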
